Hello everyone,

At the risk of re-asking an old question, can I ask for help on setting up 
Kerberos authentication for the coda client?

I am running Coda 6.9.5-11 for both client and server on Fedora 20 (different 
hosts), installed from standard Fedora RPM packages.  Everything works fine 
using auth2 authentication.

Kerberos is installed as part of FreeIPA 3.3.4-3.  The FreeIPA and Coda servers 
run on the same host.  Kerberised logins and NFS work fine on FreeIPA.

I have created a service principal codaauth/server.wasielewski@WASIELEWSKI and 
exported the keytab file to /vice/db/krb5.keytab.  In /etc/coda/server.conf I 
have the following Kerberos-relevant setup:

# kerberos5service contains "%s" which will be substituted with a hostname,
# for a usual DCE setup it would be "hosts/%s/self
kerberos5servprinc=codaauth/server.wasielewski@WASIELEWSKI
kerberos5service=host/%s/self
kerberos5realm=WASIELEWSKI
kerberos5keytab=/vice/db/krb5.keytab

If I try to clog in using Kerberos I get the following error message on the 
client:

[Andrew@ivanka-laptop ~]$ clog -kerberos5 codauser2@server.wasielewski
username: codauser2@server.wasielewski
krb5.c: No credentials cache found while preparing AP_REQ
kinit: Client 'Andrew@WASIELEWSKI' not found in Kerberos database while getting 
initial credentials
krb5.c: No credentials cache found while preparing AP_REQ
Failed to get secret for server.wasielewski
Invalid login (RPC2_FAIL (F)).

...and this in the krb5kdc.log file on the server

Mar 11 23:23:58 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) aaa.bbb.ccc.ddd: CLIENT_NOT_FOUND: Andrew@WASIELEWSKI for 
krbtgt/WASIELEWSKI@WASIELEWSKI, Client not found in Kerberos database
(client IP address obfuscated as "aaa.bbb.ccc.ddd")

codauser2 exists as both a FreeIPA and a Coda user, and I can log in fine using 
normal Linux login and auth2 respectively.  Whatever options I give clog, it 
seems to take the Linux username and apply that as the Coda user.

If I log in as codauser2, I get some different output:

-sh-4.2$ clog -kerberos5 codauser2@server.wasielewski
username: codauser2@server.wasielewski
krb5.c: Server not found in Kerberos database while preparing AP_REQ
Password for codauser2@WASIELEWSKI: 
krb5.c: Server not found in Kerberos database while preparing AP_REQ
Failed to get secret for server.wasielewski
Invalid login (RPC2_FAIL (F)).
-sh-4.2$ ctokens
Tokens held by the Cache Manager for codauser2:
    @server.wasielewski
        Not Authenticated

...and on the server:

Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  
codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found 
in Kerberos database
Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  
codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found 
in Kerberos database
Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) aaa.bbb.ccc.ddd: NEEDED_PREAUTH: codauser2@WASIELEWSKI for 
krbtgt/WASIELEWSKI@WASIELEWSKI, Additional pre-authentication required
Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 
17 16 23 25 26}) aaa.bbb.ccc.ddd: ISSUE: authtime 1394580639, etypes {rep=18 
tkt=18 ses=18}, codauser2@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI
Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  
codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found 
in Kerberos database
Mar 11 23:30:39 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 
17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  
codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found 
in Kerberos database

Can anyone see where I am going wrong?  I have read about a "modular clog", but 
I am not clear where/how I get and use it, nor whether it is already part of the 
Coda client.

Thanks in advance,
Andrew
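As an added example (not part of the original post, and not Coda or FreeIPA code): a small Python triage script for the krb5kdc.log records quoted above. It parses each AS_REQ/TGS_REQ line, pulls out the client and the requested service principal, and places the service principal clog actually asked the KDC for next to the kerberos5servprinc value from server.conf so the two can be compared directly. The sample lines are reconstructed from the post with the mail wrapping removed, and the field layout assumed is the MIT krb5kdc.log format shown there.

```python
import re
# Constructed sample: the krb5kdc.log lines quoted in the post, one record per line.
SAMPLE_LOG = """\
Mar 11 23:23:58 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: CLIENT_NOT_FOUND: Andrew@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI, Client not found in Kerberos database
Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found in Kerberos database
Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: NEEDED_PREAUTH: codauser2@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI, Additional pre-authentication required
Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: ISSUE: authtime 1394580639, etypes {rep=18 tkt=18 ses=18}, codauser2@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI
"""
# Service principal from the post's /etc/coda/server.conf (kerberos5servprinc).
CONFIGURED_SERVPRINC = "codaauth/server.wasielewski@WASIELEWSKI"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ)"
    r" \([^)]*\) (?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
# "<client> for <server>" sits in the free-text tail of every AS_REQ/TGS_REQ record.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+?)(?:,|$)")

NOTES = {
    "CLIENT_NOT_FOUND": "client principal {client} does not exist in the realm",
    "LOOKING_UP_SERVER": "clog asked for {server}; server.conf/keytab has {conf}",
    "NEEDED_PREAUTH": "normal: KDC wants pre-authentication before issuing a TGT",
    "ISSUE": "TGT issued to {client}; the password step succeeded",
}

def parse_kdc_log(text):
    """Parse krb5kdc.log records into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        p = PRINC_RE.search(rec.pop("rest"))
        rec["client"] = p.group("client") if p else None
        rec["server"] = p.group("server") if p else None
        records.append(rec)
    return records

def triage(records, configured_servprinc):
    """One explanatory row per record, contrasting requested and configured service."""
    out = []
    for r in records:
        tmpl = NOTES.get(r["status"], "unhandled status {status}")
        out.append((r["req"], r["status"], r["client"], r["server"],
                    tmpl.format(conf=configured_servprinc, **r)))
    return out

def missing_service_principals(records):
    """Service principals the KDC reported as not found (what clog actually asked for)."""
    return {r["server"] for r in records if r["status"] == "LOOKING_UP_SERVER"}
```

Running triage(parse_kdc_log(SAMPLE_LOG), CONFIGURED_SERVPRINC) yields one row per record; the LOOKING_UP_SERVER row shows the host/... principal the client requested beside the codaauth/... principal the server is configured with.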

